Personal Data (2) Flashcards
What are the 4 building blocks to identify personal data?
- any information
- relating to
- an identified or identifiable
- natural person (data subject)
What is anonymous data?
information not related to an identified or identifiable natural person
or
that has been rendered unidentifiable
Article 26: GDPR does not apply to processing of anonymous data
What is pseudonymous data?
processing of personal data in a way that it can no longer be attributed to a specific data subject without the use of additional information
- additional information must be kept separately
- additional information subject to technical and organizational measures
What are special categories of data?
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (for purpose of uniquely identifying individual)
- Health data
- Sex life or sexual orientation
processing of special category data prohibited under Article 9
Is data related to criminal convictions and offenses considered special category data under GDPR?
No.
Article 10: processing only under control of official authority or when processing is authorized by Union or Member State law providing for appropriate safeguards for rights and freedoms
comprehensive register of criminal convictions only kept under control of official authority
Is device dynamic IP address considered personal data?
Yes.
- Static - always relates to a single individual
- Dynamic - there is a pattern of identification
Does information need to be true to be considered personal data?
No.
any statements, objective or subjective, considered personal data
What content can be considered personal data?
information about an individual’s
- private life
- activities
For personal data to relate to an individual one of three elements must apply:
personal data must:
- be about them
- used to evaluate them
- impact their rights and freedoms
T/F: A person is identifiable when it is possible to do it, even if they haven’t been identified yet
(Opinion 4/2007)
True
What is the threshold for the possibility of identification?
Recital 26
reasonable likelihood, considering costs, amount of time, available technology and technological developments
Does GDPR apply to personal data of deceased persons?
No.
member states may provide for specific rules in this area
Recital 27
Is processing of photographs considered special category of personal data?
Not systematically, depends on the purpose of processing the photograph
How is pseudonymization defined in GDPR?
processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject, without the use of additional information, provided that such information is kept separately and is subject to safeguards
Why is pseudonymization promoted by GDPR?
as a safeguard to achieve data minimization for privacy
additional protection for determining compatibility of new purpose with original purpose